
FinFisher malware hijacks Windows Boot Manager with UEFI bootkit
2021-09-28 17:46

Commercially developed FinFisher malware now can infect Windows devices using a UEFI bootkit that it injects in the Windows Boot Manager.

"During our research, we found a UEFI bootkit that was loading FinSpy. All machines infected with the UEFI bootkit had the Windows Boot Manager replaced with a malicious one," Kaspersky researchers revealed today.

"This method of infection allowed the attackers to install a bootkit without the need to bypass firmware security checks. UEFI infections are very rare and generally hard to execute, and they stand out due to their evasiveness and persistence."

UEFI firmware allows for highly persistent bootkit malware because it is stored in SPI flash soldered to the computer's motherboard, which makes it impossible to remove by replacing the hard drive or even reinstalling the OS.

Bootkits give attackers control over the operating system's boot process and make it possible to sabotage OS defenses by bypassing the Secure Boot mechanism, since Secure Boot depends on the firmware's integrity.

"While in this case the attackers did not infect the UEFI firmware itself, but its next boot stage, the attack was particularly stealthy, as the malicious module was installed on a separate partition and could control the boot process of the infected machine," the researchers added.
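Because the infection described here replaces the Windows Boot Manager on the EFI System Partition rather than the firmware itself, a defender can check that file directly. The script below is an added example, not code from the article or from Kaspersky's report: it reports the Secure Boot state, mounts the EFI System Partition, verifies the Authenticode signature of bootmgfw.efi and records its SHA-256 hash for comparison against a known-good copy. It assumes an administrative PowerShell session on a UEFI-booted Windows 10/11 machine and that drive letter S: is free (both assumptions); the cmdlets used (mountvol, Confirm-SecureBootUEFI, Get-AuthenticodeSignature, Get-FileHash) are standard Windows tooling.

```powershell
# Added example (not from the article or the Kaspersky report): integrity check of
# the Windows Boot Manager on the EFI System Partition (ESP).
# Assumptions: run as Administrator on UEFI-booted Windows 10/11; S: is an unused
# drive letter. Legacy-BIOS machines have no ESP and no Secure Boot state.

$MountLetter = 'S:'
$BootMgr     = "$MountLetter\EFI\Microsoft\Boot\bootmgfw.efi"

# 1. Secure Boot state. With Secure Boot enforced, the firmware itself checks the
#    signature of the first boot stage it loads; when it is off, nothing does.
try {
    $secureBoot = Confirm-SecureBootUEFI
} catch {
    $secureBoot = $null   # legacy BIOS, or the cmdlet is unsupported on this platform
}
$sbText = if ($null -eq $secureBoot) { 'unknown' } else { $secureBoot }
Write-Output ("Secure Boot enabled : {0}" -f $sbText)

# 2. Mount the (normally hidden) ESP so its files can be inspected.
mountvol $MountLetter /S | Out-Null
try {
    if (-not (Test-Path $BootMgr)) {
        Write-Warning "Boot Manager not found at $BootMgr"
        return
    }

    # 3. Authenticode check: a genuine bootmgfw.efi is a PE file signed by Microsoft.
    $sig    = Get-AuthenticodeSignature -FilePath $BootMgr
    $signer = $sig.SignerCertificate.Subject
    Write-Output ("Signature status    : {0}" -f $sig.Status)
    Write-Output ("Signer              : {0}" -f $signer)

    if ($sig.Status -ne 'Valid' -or $signer -notmatch 'O=Microsoft Corporation') {
        Write-Warning "bootmgfw.efi is not validly Microsoft-signed; investigate a possible Boot Manager replacement."
    }

    # 4. Hash and timestamps, to compare against install media or a clean
    #    reference machine and to track changes over time.
    $hash = (Get-FileHash -Algorithm SHA256 -Path $BootMgr).Hash
    Write-Output ("SHA256              : {0}" -f $hash)
    Get-Item $BootMgr | Select-Object Length, CreationTime, LastWriteTime | Format-List
}
finally {
    mountvol $MountLetter /D | Out-Null   # always unmount the ESP again
}
```

A valid Microsoft signature is a necessary, not sufficient, sign of health: compare the hash with the bootmgfw.efi shipped on matching install media, and treat an unsigned or third-party-signed Boot Manager, or a machine with Secure Boot unexpectedly disabled, as grounds for a full forensic look at the ESP and the rest of the boot chain.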


News URL

https://www.bleepingcomputer.com/news/security/finfisher-malware-hijacks-windows-boot-manager-with-uefi-bootkit/